Friday, February 19, 2016

Right Wing NPR

I was listening to NPR this morning over coffee, and nearly spilled it. Host Steve Inskeep was interviewing Mark Surman, Mozilla founder, on the topic of Apple refusing to hand over the keys to the Iphone to the Federal Government (and anyone who might be able to hack the Federal Government. Oh, right, that's never happened!)

INSKEEP: One last thing, coming back to this San Bernardino case, we don't know what's in that iPhone. We don't even know if it's important. But let's spin out the worst case scenario as a prosecutor might. Suppose your side wins, that phone is never opened, and as a result, the government misses a chance to find some other suspect and disrupt some attack. The attack goes forward, and people are killed. Will that have been worth it in order to protect encryption?

Surman, probably flabbergasted that anyone should ask such a question, changed the subject

SURMAN: We need to find ways to really be able to seek communications before they're sent or after they're sent and actually work with law enforcement on doing this well. There are alternative ways to get information, getting access to it before or after it's encrypted. What we want to avoid is creating a precedent where encryption can be broken by an arbitrary third party.

But Inskeep kept at it

INSKEEP: So you're saying, in essence, it may well be harder to catch terrorists, but you can still work at it, and the extra difficulty is worth it.

Remember, this is cloyingly liberal NPR, not some foaming at the mouth right wing program!

Like Surman, I often am too polite to give the right answer to such shocking questions in real time. But with the benefit of hindsight, here's a better answer

COCHRANE: Well, come to think of it, you're right there Steve. And while you're at it, let's keep going. These pesky first and fourth amendments sure get in the way of law enforcement, don't they? I mean all this business about going out and getting warrants, and waiting for a judge is so time consuming. If a terrorist gets away while you're busy getting a warrant, and people are killed, will that really have been worth it to protect some sort of centuries old procedures? If someone stirs up trouble on a Jihadi website, why do we have to allow that? And this annoying business about grand juries, and presenting evidence, and discovery, and Miranda warnings, it's so burdensome. What if some terrorist gets away and kills someone? The police surely should be allowed to just throw anyone suspicious in jail, to make sure they don't do anything bad. Heck, while you're at it, what's with these prohibitions against torture? Bring back the rack, or start chopping people's fingers off until they talk. If you hold back, and some terrorist kills someone, was your little sense of ethics really worth it?

There is a reason we have all these protections. There is a reason we need to defend them even in times of turmoil.

Perhaps a President Hillary Clinton will bring a sympathetic ear to the right to digital privacy. She undoubtedly wishes her email had been bullet-proof encrypted, not just from the FBI and NSA, but from the Chinese and Russian hackers likely reading every line. Update: I realize from some of the comments that the point may not have been clear. This isn't about the Apple decision. It's moot, really, anyway, as even Apple can't open the new Iphones. And one can make cost/benefit arguments either way. My point was about the argument: We will hear quite often in coming years and decades, the argument that even one terrorist caught is worth sacrificing privacy and civil liberty. Be prepared to answer, to point out there are costs as well as benefits, and to list what they are. And, finally, I sound more critical of Inskeep than I should. In fairness, he does not offer an opinion. He asks a question, one commonly asked, and may well have been floating a t-ball in the hope Surman would smash it out of the park as I attempted to do. Many people will ask that question. It's worth asking, over and over, and rehearsing the answer.

29 comments:

Great answer even if he's right. In reality he isn't right, though. If the government cracks the phone's encryption using Apple signed malware, then this apple signed malware proliferates, how many petty dictators and terrorists around the world will be able kill informants when they crack security on other iPhones? How many billions of dollars will be stolen by hackers who gain access to financial information?

As long as you're spinning hypotheticals, try this one: A terrorist gets away while the FBI is obtaining a warrant. The terrorist is the trigger man for a cataclysmic event (e.g., the release of a massive electromagnetic pulse that destroys much of America's telecommunications and power grids). The immediate result is the death of tens of thousands of Americans. the long-term result is the impoverishment of most Americans, as the economy is set back to the 1950s, if not to the 1930s. The people of those earlier days had the advantage of knowing how to do things with their hands, which is untrue of most Americans these days. Do you think for a moment that very many Americans would choose poverty over the rights of someone who is almost certainly a terrorist bent on doing them harm? The Constitution is not a suicide pact.

The Apple case has nothing to do with the 4th Amendment. There's a court order based on probable cause, plus the owner of the phone has consented to the search; that satisfies whatever 4th amendment problems might exist.The real issue is whether the powers claimed by the Government under the All Writs Act are constitutional. The government is claiming it has the power to force Apple to write software in aid of a criminal investigation - to me that sounds an awful lot like a forced draft into a police force. What constitutional provision gives the government this power? I can't think of any but this is not my speciality. Anyway, that's the question the courts will have to decide if they conclude that the government has satisfied the prerequisites under the All Writs Act for an order of compulsion.

The difference between demanding that Apple hand over something they already have and demanding that they create something completely new.

Question: suppose that the government gets complete technical details on the hardware and software of the telephone under a subpoena issued for one investigation, is the government then free to use that information in other investigations without getting a new warrant?

Bad answer. The owners of all the other iPhones have not consented and it hurts them badly for Apple to comply. The government wants Apple to write a piece of malware, sign it as a legitimate update, and then hope the genie will stay in the bottle.

Maybe I haven't been paying enough attention. The phone in question belongs to someone who we know committed a serious crime. Law enforcement would like to know the contacts this person made via his phone in order to investigate possible further criminal activities the person may have been involved and with whom. Why can't law enforcement get a warrant to compel Apple to search the phone and turn over the list of contacts made via that phone. Government law enforcement need not be provided with software to unlock the phone. Won't that work? I'm not a lawyer, so those who know the law, please inform me.

A policy answer, not a legal answer: Because then the Trump administration can demand that Apple unlock Hilary Clinton's phone, the Hilary Clinton administration can demand that Apple unlock Donald Trump's phone, and the Chinese government can demand that Apple unlock the phone of every dissident in China.

Unless I'm mistaken, the phone belonged to the San Bernadino Dept of Public health and there is no reason to believe that "it" committed serious crime. However, it was used by someone we know who committed a serious crime and who is now dead. Unlocking the phone will not help convict that person.

We do not now know everything the FBI knows; however, it appears that the FBI has no probable cause to believe that anyone else other than the deceased assailants (and the person who bought their weapons) has committed a crime and I think they've already admitted that. It would be somewhat different if the FBI had probable cause to believe that someone who committed a crime and is still available for trial called that phone or was called via that phone.

As it is, this is what in the business is called a "fishing expedition" And, as far as privacy is concerned, Ben, above, gave a very good answer: unlocking that phone is tantamount to unlocking everyone's Apple iPhone. I'm sure the FBI could uncover quite a few crimes (serious and otherwise) if it were given access to the contents of every iPhone in the country whether or not there is probable cause to believe that anyone connected with those phones has committed a crime and that the evidence obtained by a search would possibly assist in convicting that person. But, is that the kind of tradeoff American citizens want?

The drafters of the 4th Amendment were very aware of this tradeoff and they chose to reserve to citizens their privacy against such "fishing expeditions" and protect them against the tyranny that unwarranted invasions of privacy would invite.

As I understand it, the FBI is asking Apple to make it easier for the FBI to use brute force cracking techniques on the phone. And if the owner had a long pass phrase instead of a 4 digit passcode, they might even not be able to do that.

Inskeep's way of framing the question may be unsavory, but the reverse question is routinely framed in similarly silly ways. People who say we don't have to choose between privacy and security don't understand trade-offs. Sure, some privacy can be guaranteed without compromising security, and some security can be guaranteed without compromising privacy, but once we've arrived at the privacy-security frontier, you only increase privacy by reducing security and vice versa. Essentially no one opposes increasing privacy without reducing security, and vice versa--the debate is at the margin.

There is of course room for debate about whether we are in fact at the frontier, but on basically all of the controversial areas there are experts who reasonably disagree about whether measure X which reduces privacy really advances security. That tells me that these things are not easy calls. One hard problem is how much privacy we're willing to trade for how much security, and vice versa. The other hard problem is how much any given proposal actually advances/diminishes privacy and security.

The arguments you raise are great arguments--they're the reason why many experts take the pro-privacy side of many of these debates. But there are counterarguments made by experts on the pro-security side of many debates. Who is right? I don't know, but I think it's a non-trivial issue and if we're going to advance the conversation we need to present the best arguments from all sides, and ultimately we'll have to live with the fact that different people will (reasonably) make different judgment calls.

That article and the linked technical spec largely miss the point (it is at the very end of the technical spec). This is only feasible for the iPhone 5C and does not involve new software, as the comments above suggest. It is a known bug in the old software that Apple removed. The bug requires the FBI to spoof Apple's remote update feature or for Apple to simply update the phone. Forcing Apple to push out an update to newer iPhones won't work (the Secure Enclave in the technical spec). Perhaps they can compel Samsung, Google, etc., but those companies can just overcome this technical deficiency as well (if it exists). There is no "backdoor" at this stage, although the administration is asking for one. It appears that the concern and comments are accurately addressed at a backdoor, but this lawsuit is not that bogeyman.

hm, I don't believe the Great and Powerful Hillary has enough self awareness to think information security is something people should have.

Actually, let me correct that: the real people like her, sure they deserve absolute privacy. But the little people? Well, how are their betters supposed to make sure they do the right thing without being able to see every little thing they do.

IMHO, the concerns about privacy are overblown and the San Bernardino case is the wrong test case and the wrong place to try to draw a line. I personally see little social "cost" associated with giving the police the power, with a search warrant, to search encrypted data on cell phones. Fifty years ago no one would have doubted that a search want gave the police the right to break into a locked safe. What "secret" information do you have on your cellphone?

A few yeas ago, a young woman, Holly Bobo, was abducted and murdered. A witness said she had seen a video on an Apple phone of the victim being abused by the accused. The authorities have not been able to crack the cell phone. Do I wish there was a backdoor into the phone - you bet I do. Would I support forcing Apple to unlock that phone if they could - you bet I would.

There are much bigger potential threats to privacy. Widespread recording of car license plate numbers or CCTV coupled with facial recognition or the moves to abolish cash for three examples.

I think from the update you misunderstand the FBI's demand. They are asking Apple to write a piece of malware, digitally sign it, and allow it to be loaded on the target phone as an update. The malware is not itself a back door. The malware will only disable a key feature of the encryption security. That key feature is the destruction of the decription key after 10 incorrect passwords are attempted.

While this would not be a back door, it would be the first step in allowing the FBI to create a back door - and not just for this device. The FBI believes they can brute force the password in a reasonable period of time as long as they get unlimited attempts. For a good understanding of the problem, here is Professor Matthew Green from John Hopkins Department of Cryptography. The security Apple has is only as strong as the passwords chosen. If a pin is used instead of a strong pass phrase, half an hour might be enough.

The arguments for more general, police state authority seem to run around these special case arguments. It's all "What is the phone is never opened, what if then the government misses a chance to find some other suspect and disrupt some attack, what if the attack goes forward, what if thousands of people are killed. Was it worth it?" That sort of reasoning can be used to justify anything but do we want to justify anything? How about "What if the government suspects your neighbor of having terrorist sentiments, what if at that point the government misses an extra legal chance kill him outright and disrupt some attack, what if the suspected attack happens, what if thousands of people are killed. Was it worth it?" Those sorts of special case arguments historically lead to shortsighted policies that end up being black marks on the US government's record. I am thinking of things like communist blacklists or Japanese internment during WWII. But I'm sure Americans are aware of better examples of shortsighted transgressions by their government. Here are some questions that could offer a better chance of arriving at a legal system Americans might want to live under. (a) What general freedoms need to be protected with respect to property? (b) What general freedoms need to be protected with respect to communication? (c) What restraints on the security apparatus are prudent and desirable given history and given the aspirations of the people? (d) What imperfections in any policy are acknowledged and accepted given the country that Americans would aspire to have?These kind of general questions lead to sounder decisions and clearer thinking than the muddled "what if, what if, what if" roads that people seem to want to talk about.

as far as i know, with a court order, the Fed Gov't (FBI/District Attorney) can look at almost any record you might have: tax returns, bank records, any paper in your house, telephone logs, they can wiretap your phone or even your living quartersThe things the FBI can't look at ,ever, are pretty limited: priviledge with attorney, rabbi, doctor and spouse.

yet, for some bizarre reason, an iphone is different: the FBI can get a court order to look at your taxes, but there is this magic something that says we can't look at an iphoneif you printed out what was on your iphone, and hte FBI had a warrant to search your home and seize records, would anyone argue that the iphone printouts are somehow exempt because ..??

I must have missed something. The fourth amendment only precludes unreasonable searches and seizures. There is a court order. We are either a nation of laws or we are not. OK if Apple wants to litigate the constitutionality of the court ordered search/seizure. Given Apple's past history of compliance with other court ordered searches and similar activities, I would have thought quiet compliance in a protected, off-line environment within Apple headquarters would have little consequence for privacy - or at least no more consequence for privacy compared to other Apple encryption functionality. Remember, when their is a search warrant, if the police don't have a key, they can knock down the wall. Failure to comply, may mean an escalation, a new search warrant for all Apple encryption functionality. Else, I must have missed something here.

It isn't Apple's iPhone. The fourth amendment allows the government to obtain a warrant to search your property. It doesn't give the government the right to command someone else to spend resources as the government's agent. The locked safe scenario is not a proper analogy. The locked safe analogy would allow the government to command the safe manufacturer to create a key when such a key does not exist. And spend the resources without compensation.

Thanks to a few abusers I am now moderating comments. I welcome thoughtful disagreement. I will block comments with insulting or abusive language. I'm also blocking totally inane comments. Try to make some sense. I am much more likely to allow critical comments if you have the honesty and courage to use your real name.

About Me and This Blog

This is a blog of news, views, and commentary, from a humorous free-market point of view. After one too many rants at the dinner table, my kids called me "the grumpy economist," and hence this blog and its title.
In real life I'm a Senior Fellow of the Hoover Institution at Stanford. I was formerly a professor at the University of Chicago Booth School of Business. I'm also an adjunct scholar of the Cato Institute. I'm not really grumpy by the way!